Email Phishing Is Serious Business

An inside look at how Fiserv CRO Murray Walton communicated an IT threat to 19,000 company associates.

Editor's Note: Communication was critical following the early-April Epsilon data breach in which a database containing names and email addresses of millions of Americans was compromised. But it wasn't only external communication between businesses and customers that was important. With the heightened threat of phishing attacks, effective internal communication was every bit as vital.

The following is an email sent by Murray Walton, Chief Risk Officer for Brookfield, Wis.-based Fiserv, to the company's 19,000 associates.

Phishing is the act of sending email intended to deceive the recipient into revealing personal information or taking an action that allows personal information to be extracted later. Most phishing schemes are designed to turn that personal information into money, either through identity theft or the hijacking of bank accounts or credit lines.

If you are on the receiving end of a phishing attempt, you receive an email that claims to be from a legitimate organization. It asks you to log on to a website whose address it provides, or it asks you to click an embedded link or open an attachment.

Perhaps the sender claims to be the Internal Revenue Service, and the email asserts that you owe back taxes, or a creditor or lawyer alleges you owe a debt. The type and amount of debt are supposedly described in an attachment you are asked to open.

Or the sender claims to be your bank, and the email asserts that your account will be frozen if you do not re-establish your username and password. The email contains a link where you are told to log in using your old credentials and establish new ones.

Or the sender claims to be from Desktop Support or Email Administrator, advising you of a problem that you can cure by following a link in the email where you would give the impostor your legitimate logon credentials.

Or the sender claims to be the HR department, and the email asks you to provide a comprehensive set of personal data because your HR records were supposedly lost due to a recent system conversion.

If you open the PDF that supposedly describes your debt, or go to the fake bank website and log in with your real credentials, or provide personal information to the phony HR department or Email Administrator, you will be sorry. You will install malicious software on your computer that captures all of your keystrokes, including usernames and passwords. Or you will give thieves login credentials they can use to drain your bank account or romp through your computer and any networked to it. Or you will give them the means to impersonate you and establish enough credit in your name to bury you in debt. Or you may unleash a virus that infects your computer and sends out something equally poisonous to every person listed in your address book.

When things like this happen within most corporate environments, there are excellent defenses to blunt their impact. But what would you do if this kind of attack hit you at home, via your personal email? And how many of your business’ clients have corporate-class defenses in place? With the breach last month of the Epsilon email marketing firm, security experts predict we will see a spike in phishing attacks in the weeks and months ahead. Those who breached Epsilon now know that Sam Security, email address SammyS@phishbait.com, does business with specific banks, travel companies, retailers, and other companies, and they know how to reach him by email. They will use this information for phishing attacks that attempt to get information from him that can be monetized in some way, enriching them at his expense.

So what can we do? We can be smart and cynical, and adopt a trust-but-verify model for engaging with those phishers who reach out to us via email.

Murray Walton is Chief Risk Officer and head of Enterprise Risk & Resilience at Fiserv, Inc. He leads the teams responsible for business continuity, incident management, insurance, logical and physical security, PCI and regulatory compliance, and risk assessment and remediation for this Fortune 500 provider of information management, processing and electronic commerce services to the financial services industry. Murray joined Fiserv in 2006, building on more than 25 years of prior professional experience in financial services management, law and technology, including five years as Chief Compliance Officer at H&R Block and prior experience in banking and bank systems. Murray holds degrees in economics and law.